Sunday, October 20, 2013

Reset Windows user password without original install disk

I rarely boot up into my Windows 7 partition, as most of my work is done under Ubuntu.  However, the occasional time arises where I must do the inevitable.  I had been using my fingerprint reader to log in since my original password was long forgotten from when I originally set it.  Typically, one may reset a forgotten password by booting from the install CD or from a USB drive with Windows on it, but I recently came across a way to reset my user account's password without using the original install disk or a USB flash drive.  This method requires that you are already logged in to the computer.  If you have a fingerprint reader, this is easy, or if you have another account, just log in with that one.  If you do not have a way to log in, you must use the CD / USB method.

  1. Start > All Programs > Accessories > Right-click Command Prompt and Run as Administrator
    1. An alternate method is to search for cmd in the "Search programs and files" on the Start menu.
  2. This will open a terminal window, in which you will type:  set username
  3. Use the username it shows in the following command: net user username *
  4. You will be prompted two times to enter a password.  Once the password is reset, it will say The command completed successfully.
  5. The password has now been successfully changed.

Monday, October 7, 2013

Ubuntu: Using VNC over SSH

Recently my inherent laziness caused me to start researching a remote desktop like environment from my laptop to my Xubuntu media server.  I wanted to do this so that while sitting in one part of the house, I could remote in to my media server in the back room and rearrange files, perform updates, etc. Essentially, I wanted something to work as a headless environment from the comfort of my couch.

In order to remotely control the desktop, I needed to set up some sort of secure environment.  We all know that VNC by default is not secure.  RDP (Remote Desktop Protocol), mainly used for accessing Windows machines, also has its flaws.  I started looking into VNC (Virtual Network Computing) over SSH (Secure Shell) tunneling.  My client computer (laptop) is Ubuntu 13.04 and the server I wish to connect to is Xubuntu 13.04.  Please do note that since I'm using Xubuntu, the following instructions may not work for you if you don't use lightdm as a display manager.

  1. Start by installing ssh server on the remote machine:
    1. sudo apt-get install openssh-server
    2. If you are using Webmin to configure your system (highly recommended, see here), it is a fairly simple setup after the install completes.  The default setup will work for now, but we need to lock it down.  More on that in a second.
    3. If you are running Ubuntu on your local machine, you already have the openssh client installed by default.  I cannot speak for Windows, OS X, or other flavors of Linux, but finding a package should be pretty simple using the great interwebs.
    4. In the terminal on your client computer (ie your laptop), generate ssh public and private keys:
      1. mkdir ~/.ssh
      2. chmod 700 ~/.ssh
      3. ssh-keygen -t rsa
      4. You will be prompted for a location to save the keys, and a passphrase for the keys. This passphrase will protect your private key while it's stored on the hard drive and be required to use the keys every time you need to login to a key-based system.
      5. If you do not wish to password-protect your key file (not recommended), just press enter without typing a password.  Remember, if your laptop is ever stolen, a brute force attempt may be made to unlock your key file, and then the server you connect to can be compromised.
      6. Note: Public keys are what you give out to servers.  It is what is used in conjunction with your private key - stored locally - to authenticate.  Under no circumstances should you give out your private key!
    5. Now that you have generated your public and private SSH keys, it's time to transfer your public key to the server:
      1. ssh-copy-id username@host
      2. Replace username with the username you login with on the server.  Use the server's local IP address (assuming you're doing this over a LAN) as the host.
      3. When prompted for the password, enter the password associated with the username you provided for that machine.
      4. For more details on steps 4 and 5 above, jump on over to SSH Keys on the Ubuntu Community website.
    6. Great!  You're on your way to having a secure shell environment that's actually secure.  Now, we must proceed with locking down openssh-server:
      1. In Webmin, login to the server and find the SSH Server section.
        1. If you find that SSH Server is in the "Unused" section, click Refresh Modules on the left, bottom.  Now logout and log back in.  You will now find it under the "Servers" section.
      2. Authentication:
        1. Allow authentication by password? No
        2. Permit logins with empty passwords? No
        3. Allow login by root? No
        4. Allow RSA (SSH 1) authentication? No
        5. Allow DSA (SSH 2) authentication? No
        6. Check permissions on key files? Yes
        7. Display /etc/motd at login? No
        8. Ignore users' known_hosts files? No
        9. User authorized keys file: Default
        10. Maximum login attempts per connection: 2
        11. Ignore .rhosts files? Yes
      3. Networking:
        1. Listen on addresses: All addresses
          1. If you have a dedicated IP address for your client, setting this to its IP would make it even more secure, allowing only connections within the local network.
        2. Listen on port: 22
          1. 22 is the default port for SSH.  If you wish to change this for more security, connecting will become more difficult.
        3. Accept protocols: SSH v2
          1. With modern SSH clients there is no need to enable v1.  In fact, there are known vulnerabilities in older SSH servers, including a CRC32 Compensation Attack.
        4. Disconnect if client has crash? Yes
        5. Time to wait for login? 120 seconds
        6. Allow TCP forwarding? Yes
          1. This sounded insecure to me at first.  But, after further research, it actually encapsulates any traffic based on TCP into the SSH tunnel, making insecure traffic (checking mail, surfing the web) secure.  However, if you're a LAN admin and have other security restrictions in place for network traffic, enabling TCP forwarding would allow one to bypass those restrictions.
        7. Allow connection to forwarded ports? No
      4. Client-Host Options:
        1. If you have not tweaked this section before, the only available option will be All Hosts
        2. Click the Add options for client host link at the bottom.
        3. Enter the host name or IP address of the server
          1. "*" can be used for host names.  ie * will allow SSH to anything on the domain.
        4. Compression level: Worst
          1. Setting it to anything else will consume unneeded CPU cycles on a fast network and actually slow down file transfers when using scp
        5. Use privileged source port? No
          1. By default SSH clients will use the privileged source port when connecting, which indicates to the server that it is a trusted program and thus can be relied on to provide correct information about the user running it. This is necessary for rlogin-style authentication to work, but unfortunately many networks have their firewalls configured to block connections with privileged source ports, which completely blocks SSH. To have the clients use a normal port instead, select No for the Use privileged source ports? field. Unless you are using host-based authentication, this will cause no harm.
        6. All other options can be left as default.
      5. Access Control:
        1. Select the users you want to allow to connect, or type them in using commas to separate. "?" can be used as a wildcard.  ie admin_? will allow any users starting with admin_ to connect.
      6. Once you have made all of these changes, Stop Server and Start Server from the module's index page to apply the changes.
    7. SSH-server is now configured and locked down using Webmin, you have generated and published your keys from the client to the server, and are ready to move on to configuring VNC over SSH.  But first we must verify that all the changes just made didn't break our SSH connection:
      1. ssh username@host
      2. You will be prompted with something like:
      3. The authenticity of host '10.0.X.XX (10.0.X.XX)' can't be established.
        ECDSA key fingerprint is XX:XX...XX.XX.
        Are you sure you want to continue connecting (yes/no)?
      4. Note: Don't panic!  You are connecting to an "unknown" server using only your key for the first time.  Unless some hacker is really efficient at setting up a man-in-the-middle attack on your server between the time you installed the ssh-server to now, you are most likely connecting to what you intended to connect to.
      5. Type yes
      6. Warning: Permanently added '10.0.X.XX' (ECDSA) to the list of known hosts.
        Permission denied (publickey).
        1. I didn't expect this error.  Upon exiting and logging in again, all was well with the world and I did not receive the same error.
      7. Once you have established a connection successfully, we can move on.  Type exit and execute until you are cleared away from the SSH session.
    8. We will log back into the remote shell, but this time we will use trusted X11 forwarding (-Y option) in order to use a graphical text editor.
      1. ssh -Y username@host
      2. x11vnc -storepasswd
        1. Enter a secure password, and again to verify it.
        2. Store this password as /etc/x11vnc.pass (not the default location)
        3. sudo chmod 744 /etc/x11vnc.pass
      3. cd /etc/lightdm
      4. sudo gedit lightdm.conf
        1. Assuming gedit is installed on your machine.  If not, use whatever text editor is installed, or vi if you are comfortable with that.
      5. Append the last line to your file, so that it looks like this:
        1. Save and close
        2. Note: If this step is skipped, x11vnc will not start after rebooting your server and must be manually started after logging in locally.  Some may wish to do this as an extra layer of security.
      6. sudo service lightdm restart
      7. Now the service is running and will run each time your computer starts.
    9. Back on your local computer (outside the SSH session), you will want to bring the remote display to you:
      1. Install SSVNC from the Ubuntu software center for your local VNC viewer.
      2. In the VNC Host:Display field:
        1. username@host
        2. I found it to work best if you let the software decide the display port rather than attempting to connect to username@host:displayPort (ie username@host:0 as the instructions tell you to do).
        3. Enter your VNC password that you set above when prompted.
  2. Assuming you have not encountered any errors - as I did while writing this - you should be viewing your server remotely!
    1. To stretch / shrink the display:
      1. F8 > Scale Viewer > auto or fit depending on your preference.
    2. Full screen view:
      1. F9
    3. To close the remote viewer but leave you logged in on the server, simply close the window.  If you wish to log out, do that normally as well.
As with all my tutorials, if you have questions or run into issues, please let me know in the comments section below.
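
One way to confirm that the Webmin choices from step 6 actually landed in /etc/ssh/sshd_config, as an added example that is not part of the original post: the function below compares a config file against those answers. The mapping from Webmin labels to OpenSSH keywords, the function name audit_sshd_config and the sample config are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original post). Keyword mapping is an assumption:
#   Allow authentication by password?        -> PasswordAuthentication
#   Permit logins with empty passwords?      -> PermitEmptyPasswords
#   Allow login by root?                     -> PermitRootLogin
#   Check permissions on key files?          -> StrictModes
#   Ignore .rhosts files?                    -> IgnoreRhosts
#   Maximum login attempts per connection    -> MaxAuthTries
#   Allow TCP forwarding?                    -> AllowTcpForwarding
#   Allow connection to forwarded ports?     -> GatewayPorts
EXPECTED="passwordauthentication=no permitemptypasswords=no permitrootlogin=no \
strictmodes=yes ignorerhosts=yes maxauthtries=2 allowtcpforwarding=yes gatewayports=no"

# audit_sshd_config FILE
# Prints "MISMATCH key got=.. want=.." or "UNSET key want=.." per finding.
# Returns 0 only when every expected keyword is set explicitly and matches.
audit_sshd_config() {
  awk -v expected="$EXPECTED" '
    BEGIN {
      n = split(expected, pairs, " ")
      for (i = 1; i <= n; i++) {
        split(pairs[i], kv, "=")
        order[i] = kv[1]; want[kv[1]] = kv[2]
      }
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    { key = tolower($1) }                        # keywords are case-insensitive
    key == "match" { exit }                      # global section ends at first Match
    !(key in got) { got[key] = tolower($2) }     # sshd uses the first value it sees
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in got)) {
          printf "UNSET %s want=%s\n", k, want[k]; bad = 1
        } else if (got[k] != want[k]) {
          printf "MISMATCH %s got=%s want=%s\n", k, got[k], want[k]; bad = 1
        }
      }
      # "Accept protocols: SSH v2": only older servers still carry this keyword,
      # so it is checked when present and ignored when absent.
      if (("protocol" in got) && got["protocol"] != "2") {
        printf "MISMATCH protocol got=%s want=2\n", got["protocol"]; bad = 1
      }
      exit bad
    }
  ' "$1"
}

# Constructed sample: a config that was never locked down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
StrictModes yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sshd_config does not match the walkthrough"
rm -f "$sample"
```

On the server, `sudo sshd -T` prints the effective configuration with defaults filled in; saving that output to a file and passing it to the function removes the UNSET findings.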

Thursday, July 25, 2013

Updating your Verizon Galaxy Nexus ROM

This quick tutorial is for owners of a rooted Galaxy Nexus running the SlimROM custom ROM and are on Verizon (toro).  These steps may work for other devices running the same ROM, but I make no guarantees as this is written for a friend as a reference.

  1. Go to Settings > SlimCenter > SLIMOTA tab
    1. Download SlimBean by clicking the link (which will bring you to their website), select the most current OFFICIAL build (Slim-toro-4.?.?.build.?-OFFICIAL), and click the blue Download button.
    2. Go back to SlimCenter and click Download gapps.  On the web page, select AIO_Addons.4.?.?.build.?.?.   Again, click the blue Download button.
  2. Both of these files will show their download progress in the Notifications drawer.
    1. While these are downloading, open ES File Explorer
    2. Browse to the RootStuff folder I created.  If it isn't there, just create a new folder named RootStuff (or whatever you want to call it, as long as you remember the name).
    3. Delete any old Slim-toro or AIO_Addons zip files that are stored there.
  3. Once the 2 updates have finished downloading, they will be in your Download folder.  Select both of them by long-press, then cut and move them to the RootStuff folder.
  4. Open ROM Manager
    1. Reboot into Recovery
  5. In Recovery (use volume buttons to navigate and power button to select if you have not purchased the touch version):
    1. wipe cache partition
    2. advanced > wipe dalvik cache
    3. +++Go Back+++
    4. install zip from sdcard
    5. choose zip from sdcard
    6. 0/
    7. RootStuff
    8. Slim-toro-4.?.?.build.?
    9. Once that is complete, it should bring you back to the RootStuff folder. If not, navigate to that folder again.
    10. AIO_Addons.4.?.?.build.?.zip
    11. Again, you should still be in the RootStuff folder once that is complete.
    12. +++Go Back+++
    13. +++Go Back+++  (at the bottom of the folder list)
    14. +++Go Back+++
    15. +++Go Back+++
    16. reboot system now
  6. Once your phone is back up, it will say that it is optimizing your apps. 
  7. Once it has finished (~5 min), you are done.
A couple of quirks:
  • I always have to re-download Google Search from the Play Store to get the search bar on my home screen to work and to enable Google Now.  I have submitted this bug report to their forums with no reply.  Easy fix though. 
  • Some apps when trying to update will give an error (triangle with exclamation mark in the notifications drawer).  Simply click on the error, which brings up the app in Google Play Store, and update manually from the store.
  • If you use Google Voice for voicemail (which I highly recommend), you should open the app to reactivate it after upgrading your phone.  Otherwise you may or may not receive notifications of voicemails automatically.
Let me know if you have any issues and I can update this guide.

Saturday, June 22, 2013

Monitoring APC UPS Batteries using Webmin on Ubuntu

I've been using an APC Back-UPS XS 1300 since initially building my media server approximately 2 years ago.  Until now, however, I've been blindly trusting it will do its thing when I have a power outage/surge/brown-out.  I have come across a method to monitor the battery pack using my favorite monitoring and admin tool, Webmin.  Here goes:
  1. Install apcupsd and the cgi tools to enable web monitoring
    1. sudo apt-get install apcupsd apcupsd-cgi
  2. Edit the config file:
    1. gksudo gedit /etc/apcupsd/apcupsd.conf
    2. # UPSCABLE <cable> section: change the value to
      UPSCABLE usb
    3. In the next section down, it currently reads DEVICE /dev/ttyS0.  This will not work with a USB cable, so change it to:
      UPSTYPE usb
      1. (leave DEVICE blank, but put the word DEVICE in there)
    4. Close apcupsd.conf, saving changes
  3. Now, tell the service that your config file has been configured:
    1. gksudo gedit /etc/default/apcupsd
    3. Close, saving changes
  4. Next, restart the apcupsd service:
    1.  sudo service apcupsd restart
  5. Download the apcupsd Webmin module from their downloads page 
    1. At the time of writing, it was named "apcupsd-0.81-2.wbm.gz".
  6. Install the apcupsd module in Webmin
    1. Login to Webmin
    2. Go to Webmin menu > Webmin Configuration > Webmin Modules
    3. Select the [...] button next to "From Local File", and locate where you downloaded it, and install.
    4. Once it is done, click Refresh Modules on the left pane above Logout
    5. Close Webmin in your browser, re-open it, and re-login
  7. Configure apcupsd in Webmin
    1. Go to Others > APC UPS Daemon > Configure Module
    2. Change to the following values:
      1. Configuration file for apcupsd: /etc/apcupsd/apcupsd.conf
      2. Time interval for update screens (in sec): 30
      3. Path to multimon.cgi: /usr/lib/cgi-bin/apcupsd/multimon.cgi
      4. Path to upsfstats.cgi: /usr/lib/cgi-bin/apcupsd/upsfstats.cgi
      5. Path to upsstats.cgi: /usr/lib/cgi-bin/apcupsd/upsstats.cgi
      6. Path to upsimage.cgi: /usr/lib/cgi-bin/apcupsd/upsimage.cgi
      7. Start apcupsd command: /etc/rc.d/init.d/apcupsd start
      8. Stop apcupsd command: /etc/rc.d/init.d/apcupsd stop
  8. That's it.  Just log out of Webmin and back in, go to Others > APC UPS Daemon, and it should look like this:
You can play around with your config file to make your computer respond to certain battery percentages (for example, shutdown with 10% remaining).  To view all options, use "man apcupsd" in the terminal.

Also, you may want to perform a trial run by unplugging your battery from the wall and seeing what it does.  If you're interested in that sort of thing, there's a good tutorial over at

If you have any issues or find this tutorial is inaccurate, please comment below.

Friday, May 31, 2013

Uploading programs to a TI-89 Titanium

I recently purchased the TI-89 software "Every Step Calculus" to help me out with a few things in my courses.  In order to make it easier for others to install the Calc 1 alongside the Calc 2 & 3 packages, I am making this tutorial.  First, I'll start out with how to do it in Windows, and then further down how to do it in Ubuntu Linux.

A short note: You will be transferring these files to the Archive portion of memory on your calculator.  In short, it will be slower than putting them in RAM.  Think of it this way: on your computer, files are stored on the hard drive.  When you want to run a program you must call it from your hard drive and put it into RAM (much faster, but not as big), allowing it to run.  The same goes for your TI-89.  However, if you can deal with waiting a couple of extra seconds, you will have many more programs available at your fingertips than the alternate method of loading only Calc I or Calc II/III in RAM.

Clear the memory on your calculator: [2nd] [6] [F1] [3] [Enter]
Install TI-Connect
Connect your TI-89 to your computer via the supplied USB cord
Open TI-Connect and select Send to TI Device:
It will open the appropriate window:
Click Select Device.  It will scan for your calculator
Once found, select USB 1:

Now, click Browse on the main window and navigate to your Calc I folder.  Select all contents and click Open:
Change each entry, line by line, from RAM to Archive:
It should end up something like this:

Now, click Send to Device
Repeat the above steps for your Calc 2&3 folder.  Remember to change it from RAM to archive on each line.
Now you will be able to call up any program from Calc 1 by typing index8() or 2 and 3 by typing index9() without having to clear your memory and re-sync your calculator.  Enjoy!

Ubuntu Linux:
(I won't be doing screenshots... if you are a linux person that enjoys screenshots, please comment below and I will update my entry)
  1. Clear the memory on your calculator: [2nd] [6] [F1] [3] [Enter]
  2. Download TiLP2 from the Software Center, Synaptic Package Manager, or from here.  There are a couple libraries that you will need (libusb and usbfs) if you download it directly from the web site, which is why I recommend to just use your package manager to satisfy all dependencies
  3. Plug in the USB cable and turn on your calculator
  4. In terminal, run sudo tilp
    1. There is a known issue with access to the libraries being denied if trying to connect via your USB cable.  I've tried it, and get the following message: "Msg: failed to open the USB device. Cause: Check that the USB cable is plugged in and that the calculator is turned ON! Also, check libusb and usbfs for valid permissions".
    2. I suppose I could change those permissions, but I haven't yet, and running from terminal doesn't bother me since it opens the GUI anyways
  5. If it opens with errors, ensure the cable is connected, it is turned on, and that you have the correct libraries (See step 1)
  6. Click the Refresh button to display your calculator's contents in the left pane
    1. If this step does not display your contents, go to File > Change Device, Click the magnifying glass to scan for your device, select what it finds in the bottom window, and click OK.  Then, click Refresh to display the contents.
  7. In the left pane, click the arrow beside Variables to minimize it
  8. In the right pane, navigate to your Calc I folder
  9. Click and drag every file over (yes, you have to do it one by one... ugh) to the Applications in the left pane.  This step will put them in Archive.  Putting them in Main will fill up your RAM and everything will not fit.
  10. Once completed, navigate to your Calc 2&3 folder in the right pane, and repeat the dragging process.
If you do not want to drag over everything, or if you think you messed up, at a minimum take the index8 / index9 as this is the main program that calls up everything else.

Now, on the calculator, type index8() [Enter] to access the Calc 1 files, and index9() [Enter] to access the Calc 2&3 files.


Saturday, May 25, 2013

Check your NMCI Outlook E-mail at Home (Windows 7)

I recently needed to send an e-mail from my address but did not want to drive the 25 minutes in to work just to fire off a letter and then come back home.  Hopefully this tutorial helps out users of the NMCI network who want to send e-mail from their personal computer.  Please be advised that even though you are able to view your Outlook account from your laptop, you should be completely certain you are on a trusted network prior to proceeding (ie, don't do this from Starbucks or a shared network WiFi hotspot).  A trusted network is one that you own, has WPA encryption (NOT WEP, a proven insecure and obsolete technology), and that you are fully aware has no unauthorized users connected.

CAC / PKI Reader
Windows 7 for this tutorial; it is possible on other platforms, but not covered in this article
Installed DoD certificates (covered in this article)

  1. Verify / change your Internet Options (Control Panel > Network and Internet > Internet Options)
    1. In the Advanced tab, scroll down to the Security section.  The following items should be selected:
      1. Check for publisher's certificate revocation
      2. Check for server certificate revocation
      3. Check for signatures on downloaded programs
      4. Enable DOM storage
      5. Enable Integrated Windows Authentication
      6. Enable native XMLHTTP support
      7. Use SSL 2.0
      8. Use SSL 3.0
      9. Use TLS 1.0
      10. Warn about certificate address mismatch
      11. Warn if POST submittal is redirected to a zone that does not permit posts
    2. If others are selected, that may be okay, but if you have issues come back to this step, click "Restore advanced settings", and then check "Use SSL 2.0".
  2. Download and install the DoD certificates:
    1. Chrome is not supported, so use Firefox or, I hate to say it, Internet Explorer (remember, this is the DoD we are talking about here, so they probably are not aware that Chrome exists and that IE is full of security vulnerabilities)
    2. Follow the instructions on that page.  For step 2: For me, there were quite a number of certificates to install for the first link.  In lieu of installing each one separately, I highlighted all except the "Intermediate Certification Authorities" towards the bottom, pressed the Enter key, and installed.  Once those are installed, select the Intermediate Certification Authorities and install those per the instructions.  Not sure if that actually installs all of them, but I can view my Outlook, so something worked.  If you later find out that you cannot access your account, come back to this step and install each one independently.
  3. Plug in your CAC reader.  If this is your first time, let it finish installing the drivers.
  4. Insert your CAC.
  5. Go to the NMCI Webmail link based on where you are stationed:
    1. (This step does allow the use of Chrome!)
    2. If you are unaware of the domain you connect to, look at your work computer and see what it connects to (Ctrl-Alt-Del screen)
    3. When it asks which certificate to use, use your email certificate.
      1. NADSUSEA (Navy East):
      2. NADSUSWE (Navy West, including Pearl Harbor):
      4. NAVSOC / Navy Special Warfare:
      5. NMCI-ISF (Navy ISF):
      6. PADS (Navy PADS):
      7. PADS (Navy PACOM SMR Users):
      8. Navy Medical:
    4. To see the original list, go to
      1. For this page, select your non-email certificate.
    5. If none of these links work for you, try as a last resort.  Use your e-mail certificate for this link.
If you found this helpful but in need of a correction / addition, please leave a comment and let me know.

If you have errors, try the following:
  1. Go back to Step 2 and install each certificate individually
  2. Perform Step 1.(2).
  3. Close your browser, open Internet Options in Control Panel > Network and Internet
    1. General tab: Browsing History: Delete... : temporary internet files, cookies
    2. Security tab: Ensure the Internet icon is selected, drag the bar down to Medium. Ensure Enable Protected Mode is checked
    3. Privacy: Drag the cookies bar to Medium
    4. Content: Click Clear SSL state
    5. Advanced tab: Click Restore advanced settings, and then check Use SSL 2.0
  4. Open browser and attempt again
  5. If it still does not work, Clear SSL state again, and then uncheck Use SSL 2.0.

Sunday, April 14, 2013

Keeping software RAID while reinstalling Ubuntu

A quick note on how to maintain your carefully constructed software RAID if you are wiping and reinstalling Ubuntu:

  • copy the mdadm.conf file in /etc/mdadm to somewhere safe (ie the cloud/Ubuntu One)
  • copy /etc/fstab to the same
  • Boot with your USB or CD and perform a normal Ubuntu installation*
  • Install mdadm from the repositories
  • Restore the above files and reboot+

*Be careful when running the installation setup that you do not touch your disks that contain the raid. For me, I wanted to keep /dev/sda-d untouched (my RAID 5 disks), wipe /dev/sde1 and sde2, and install on /dev/sdf1,2.  To do this you must select the "Do Something Else" option when presented with the options of how to install Ubuntu.  Ensure you format the destination of your /.

+If you changed the location of /, ensure you only copy the portion of fstab that is relevant to your RAID, otherwise you will end up with an unbootable partition because it will be looking at /dev/sd?? for your files instead of where you installed them.

Once you have added these files back, perform
sudo mount -a
to remount your filesystems.  As a note, my files are as follows:
# mdadm.conf
# Please refer to mdadm.conf(5) for information about this file.

# by default, scan all partitions (/proc/partitions) for MD superblocks.
# alternatively, specify devices to scan, using wildcards if desired.
DEVICE partitions

# auto-create devices with Debian standard permissions
CREATE owner=root group=disk mode=0660 auto=yes

# automatically tag new arrays as belonging to the local system
HOMEHOST <system>

# instruct the monitoring daemon where to send mail alerts

# definitions of existing MD arrays
ARRAY /dev/md0 UUID=9e7ab348:9594fe28:0308d362:1f0077d8

# This file was auto-generated on Thu, 12 May 2011 11:17:06 -1000
# by mkconf $Id$

# /etc/fstab: static file system information.
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sde2 during installation
UUID=c8428ebf-d359-41af-91b5-abaec4867d38 /               ext4    errors=remount-ro 0       1
# swap was on /dev/sde1 during installation
UUID=f271aec8-6337-4d13-b296-ed30d0e56da0 none            swap    sw              0       0
# Mount the RAID drives as Media
/dev/md0    /mnt/Media    ext4    defaults    0    0

Ensure you press Enter at the end of that last line, otherwise you'll get an error when performing mount -a due to there being no new line at the end of the file.
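
The two cautions above (restore only the RAID portion of fstab, and end the file with a newline) can be scripted. This is an added example, not part of the original post; the function name merge_raid_fstab and the fresh-install fstab are made up for illustration, and it assumes the array is mounted by /dev/mdN as in the author's file.

```bash
#!/bin/sh
# Added example (not from the original post).

# merge_raid_fstab SAVED_FSTAB NEW_FSTAB
# Appends to NEW_FSTAB only the /dev/mdN entries from SAVED_FSTAB whose mount
# point is not already listed, leaving the new install's own / and swap lines
# alone. Also guarantees NEW_FSTAB ends with a newline. Safe to run twice.
merge_raid_fstab() {
  mrf_saved=$1
  mrf_new=$2

  # A last line without a trailing newline is what trips up "mount -a".
  if [ -s "$mrf_new" ] && [ -n "$(tail -c 1 "$mrf_new")" ]; then
    printf '\n' >> "$mrf_new"
  fi

  # Pass 1 (new fstab): remember mount points already in use.
  # Pass 2 (saved fstab): keep md-device lines for mount points not yet present.
  mrf_add=$(awk '
    FILENAME == ARGV[1] {
      if ($0 !~ /^[ \t]*#/ && NF >= 2) have[$2] = 1
      next
    }
    /^[ \t]*#/ || NF < 4 { next }
    $1 ~ /^\/dev\/md[0-9]+$/ && !($2 in have) { print; have[$2] = 1 }
  ' "$mrf_new" "$mrf_saved")

  [ -n "$mrf_add" ] || return 0
  printf '%s\n' "$mrf_add" >> "$mrf_new"
}

# Demo on constructed files: the saved fstab mirrors the author's, the new one
# is what a fresh install might write (made-up UUID, no trailing newline).
demo=$(mktemp -d)
cat > "$demo/fstab.saved" <<'EOF'
# / was on /dev/sde2 during installation
UUID=c8428ebf-d359-41af-91b5-abaec4867d38 /               ext4    errors=remount-ro 0       1
# Mount the RAID drives as Media
/dev/md0    /mnt/Media    ext4    defaults    0    0
EOF
printf '%s' 'UUID=00000000-0000-0000-0000-000000000000 / ext4 errors=remount-ro 0 1' \
  > "$demo/fstab.new"
merge_raid_fstab "$demo/fstab.saved" "$demo/fstab.new"
cat "$demo/fstab.new"
rm -rf "$demo"
```

Run it against a copy of the new /etc/fstab first and review the result before copying it into place.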